Managing Security and Compliance in the CloudBy Michael Vizard
Managing Security and Compliance in the Cloud
By Michael Vizard
IT organizations frequently find themselves between a rock and a hard place when it comes to compliance issues in the age of cloud computing. There are numerous regulations that, in many instances, make putting data in the cloud problematic. While not every regulation is specific, the spirit of the regulation, if not the letter of the requirement, holds the company accountable for maintaining control over customer data.
Of course, the appropriate control of customer data rarely happens in an era defined by the consumerization of IT. Employees don’t think through the ramifications of putting corporate data on their personal devices or in cloud services that are not managed by the IT organization. In fact, many end users would argue, in the name of productivity, it’s become an absolute necessity to do so. Trying to restrain that employee behavior often puts the IT organization in the untenable position of trying to enforce polices that may not officially exist or come with formal sanctions attached.
“When it comes to the cloud there’s a lot of potential to get in trouble,’ says Larry Miller, director of IT and e-commerce for MainGate, which builds and manages Websites on behalf of sport teams, associations and other businesses.
And just to make matters potentially worse, even in cases where there might be legal sanctions, the fines for violating compliance requirements are rarely levied or are so minimal that they are considered just another cost of conducting business.
“In a lot of cases the fines just aren’t high enough,” says Mike Ellsworth, IT program manager for CareerOneStop, a federally funded job placement site for the state of Minnesota.
Outside of the government, health-care and retail sectors, compliance requirements are subject to a lot of subjective interpretation. And even in the government, health-care and retail sectors there is not much compliance clarity about how it applies to use cases involving mobile and cloud computing.
A recent survey of 798 IT professionals conducted by the Ponemon Institute on behalf of WatchDox, a provider of enterprise-class mobile computing applications, found that more than 80 percent of IT professionals do not know how much of their organization’s regulated data is being stored on mobile computing devices or in the cloud.
The core issue, says Larry Ponemon, president of the Ponemon Institute, is that even if IT discovered that regulated data is residing outside the enterprise, it’s not clear IT is inclined to act on it. Not only would doing so make the IT organization even more unpopular with end users, the IT organization doesn’t have the time, skills or resources needed to track every violation.
The Ponemon survey found that most organizations have weak controls in place. Seventy-three percent of the IT professionals surveyed said they are relying on manual policies rather than automated management applications. “In a lot of cases the IT organizations are taking an ignorance-is-bliss approach to the problem,” says Ponemon.
“A lot of compliance people are not all that technical,” adds Ryan Kalember, chief product officer for WatchDox. “They tend to declare victory right after a policy is written down.”
Of course, it’s not immediately clear just how pressing the issue of compliance in the cloud may be.
While everyone would agree the current situation is not an ideal, most organizations are trying to meet the letter of regulation requirements that are often ambiguous. The reason for this, says Amy Roland, an attorney with Waller, a law firm that specializes in compliance issues, is that the IT innovation moves much faster than regulatory bodies can keep up with. Nevertheless, Roland strongly advises organizations to move to cloud only after sufficient deliberation.
“This is not some decision that should be made willy-nilly basis,” says Roland. “Moving to the cloud needs to be vetted and done after some very careful consideration.”
On the plus side, government spying scandals and the theft of intellectual property by state-sponsored agencies is forcing business and IT executives to think a lot more about compliance and security. The downside is that the need to securely share data using mobile devices is putting a lot of focus on the shortcomings of enterprise IT.
Managing Security and Compliance in the Cloud
Because the internal IT organization is often perceived as overly rigid, employees have taken it upon themselves to solve their own data access and management issues. That frequently means accessing consumer-grade file-sharing services in the cloud with little thought to compliance ramifications.
To address the root cause of the compliance problem, Kent Christensen, virtualization practice manager for the IT services firm Datalink, says IT organizations need to truly manage IT as a service. Only then does IT have the agility to deploy private cloud services that provide the level of flexibility end users require without compromising compliance requirements.
“The awareness of these issues is picking up exponentially,” says Christensen. “This is one reason you see so much interest in private clouds.”
Of course, many private clouds exist in an external data center due to the interest in cost savings. But, in many instances, customers fail to take in account the fact that regulations require that controls be in place for the IT administrators that have access to those clouds.
“The thing people have to remember is that in a lot of instances being in compliance only applies to a single instance of time,” says Major Hayden, chief security architect for Rackspace. “You may have a golden image for your application but you might not be aware of who has an encryption key for your system at any given moment.
For that reason Rackspace became a customer of SSH Communications, which recently launched a risk assessment application that helps IT organizations discover who has access to what Secure Shell (SSH) keys.
“SSH is a huge potential problem in the cloud that a lot of people have not given much thought to,” says SSH Communications CEO Tatu Ylonen.
Of course, a major part of the compliance in the cloud problem would be solved if organizations implemented better security. But a global study of 4,205 IT professionals conducted by the Ponemon Institute on behalf of Thales e-Security, a provider of encryption software, found that 53 percent of organizations transfer data to the cloud regardless of whether it’s encrypted or not. And even with all the awareness concerning cloud security, another 31 percent said they plan to transfer data, regardless of whether it’s encrypted, into the cloud in the next 12 to 24 months.
“There’s a perception that the cloud service provider is going to be responsible for security,” says Richard Moulds, vice president of product management and strategy for Thales e-Security. “But it seems a little too cavalier to assume that’s the responsibility of the cloud service provider.”
Obviously, not all data needs to be encrypted. But when it comes to the cloud, organizations might want err on the side of encrypting as much data as possible when they don’t know who has access to it or where it might end up.
“When the goal is to provide higher levels of security, compliance becomes a by-product,” says Mahmood Sher-Jan, vice president of product management for ID Experts, a provider of data breach risk assessment and analysis tools. “But it can be hard to get the business to understand the return on making those kinds of investments.”
For that reason, ID Experts has been promoting the adoption of the ANSI PHI Project, which is intended to help organizations make the financial case for more investments in breach protection.
There’s no doubt that in terms of IT, anything to do with compliance and security is fraught with risk. But ultimately it’s the job of the CIO to ensure these issues don’t blindside the organization further down the road. Initially, that may mean focusing on training and educating employees about the risks associated with using shadow IT services in the cloud.
But until IT is able to offer a credible set of alternate services, there will always be tension between disaffected employees and IT that will spawn any number of compliance issues. Rather than treating those employees like criminals, the better part of valor will be to securely provide the agility that employees have come to expect from IT.